HTTP Communication
HTTP is a standard client-server protocol.
Client establishes a TCP connection with the server on port 80.
Client sends an HTTP request over that TCP connection.
Server replies with a response.
HTTP 1.0: Closes the connection.
HTTP 1.1/2: May keep it persistent for some time.
Server only issues replies to requests.
It may never contact clients directly.
Actually, servers can contact clients directly with WebSockets.
Great for low-latency asynchronous communications (e.g. VoIP, telemetry).
Nightmare for security!
Client upgrades the connection to a WebSocket.
Any participant can send messages.
No polling is required. Usually no logging is done.
Client and server must know the message format.
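An added example (not code from the original notes) of the upgrade and framing just described, following RFC 6455: the server-side Sec-WebSocket-Accept derivation, an Origin-checked upgrade response, a masked client frame with its parser, and one audit line per frame, which is the logging the notes say is usually missing. The allowed-origin list, the messages and the masking key are constructed; the sample key and masked "Hello" frame are the ones in the RFC's own examples.

```python
"""WebSocket upgrade handshake and frame handling per RFC 6455, with an audit
line per frame. Added example, not from the original notes; the origins,
messages and masking key below are constructed."""
import base64
import hashlib
import os
import struct

WS_GUID = b"258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
OPCODES = {0x1: "text", 0x2: "binary", 0x8: "close", 0x9: "ping", 0xA: "pong"}


def accept_key(sec_websocket_key):
    """Sec-WebSocket-Accept: proves the server understood the upgrade request."""
    digest = hashlib.sha1(sec_websocket_key.encode("ascii") + WS_GUID).digest()
    return base64.b64encode(digest).decode("ascii")


def upgrade_response(request_headers, allowed_origins):
    """Server side of the handshake: upgrade only well-formed requests from known origins."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return None
    if "upgrade" not in h.get("connection", "").lower():
        return None
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return None
    if h.get("origin") not in allowed_origins:  # constructed allow-list; rejects cross-site upgrades
        return None
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n")


def build_client_frame(payload, opcode=0x1, mask=None):
    """Single-frame message from the client; client-to-server frames must be masked."""
    mask = mask or os.urandom(4)
    header = bytes([0x80 | opcode])  # FIN bit set, no RSV bits
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def parse_frame(data, from_client=True):
    """Decode one frame from the start of data; reject what the RFC says to reject."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    fin, opcode = bool(data[0] & 0x80), data[0] & 0x0F
    masked, length = bool(data[1] & 0x80), data[1] & 0x7F
    pos, fmt = 2, None
    if length == 126:
        pos, fmt = 4, "!H"
    elif length == 127:
        pos, fmt = 10, "!Q"
    if fmt:
        if len(data) < pos:
            raise ValueError("truncated extended length")
        length = struct.unpack(fmt, data[2:pos])[0]
    if from_client and not masked:
        raise ValueError("unmasked client frame")  # server must close (RFC 6455 section 5.1)
    mask = data[pos:pos + 4] if masked else b""
    pos += len(mask)
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return {"fin": fin, "opcode": OPCODES.get(opcode, hex(opcode)),
            "payload": payload, "consumed": pos + length}


def log_frames(stream, direction):
    """The record a WebSocket server usually does not keep: one line per frame."""
    lines, pos = [], 0
    while pos < len(stream):
        frame = parse_frame(stream[pos:], from_client=(direction == "client->server"))
        lines.append(f"{direction} {frame['opcode']} len={len(frame['payload'])} fin={frame['fin']}")
        pos += frame["consumed"]
    return lines


if __name__ == "__main__":
    frame = build_client_frame(b"Hello", mask=b"\x37\xfa\x21\x3d")  # RFC 6455 example frame
    print(frame.hex(), parse_frame(frame)["payload"])
    print(log_frames(frame * 2, "client->server"))
```

The Origin check in upgrade_response is the defensive point: a browser sends the page's Origin on the upgrade request, and a server that does not compare it against a known list will happily open a socket for any site the user happens to have loaded. The audit line from log_frames is the other gap named above; it costs one string per frame and gives the defender something to correlate against.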
Figure: Request / Response
Anything can be a client
Many programs can communicate with HTTP servers.
A socket is all that is required.
Even Bash can do it.
There is no client-side security model.
All parts of a request can be crafted.
HTTP headers, methods, URLs.
POST content can be manipulated freely.
Control must reside in the server-side context.
Remember that developers are pushing content to the client?
There is no built-in input validation on the server side.
Any request is accepted as long as the HTTP protocol is "generally" observed.
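The request/response exchange from the start of these notes and the point that any program holding a socket can craft every part of a request, combined into one added example (not code from the original notes): a raw HTTP/1.1 POST is assembled byte by byte and sent over a plain TCP socket to a small constructed server, which then checks Content-Length, Content-Type and the body itself, because nothing on the client side can be relied on to do so. The server, the /api path, the size limit and the three sample requests are all constructed.

```python
"""Raw HTTP/1.1 exchange over a plain TCP socket, with the validation done
on the server side. Added example, not from the original notes: the server,
the client and every sample value below are constructed for this demo."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1024  # constructed limit: the server, not the client, sets the rules


class ValidatingHandler(BaseHTTPRequestHandler):
    """Constructed server: treats every header and body byte as untrusted."""

    def log_message(self, fmt, *args):  # keep the demo quiet on stderr
        pass

    def do_POST(self):
        length = self.headers.get("Content-Length", "")
        if not length.isdigit() or int(length) > MAX_BODY:
            return self._reply(413, b"missing or oversized Content-Length")
        body = self.rfile.read(int(length))  # read only what was declared
        if self.headers.get("Content-Type") != "application/json":
            return self._reply(415, b"unsupported Content-Type")
        if not (body.startswith(b"{") and body.endswith(b"}")):
            return self._reply(400, b"body is not a JSON object")
        self._reply(200, b"accepted")

    def _reply(self, code, payload):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def build_request(method, path, host, headers=None, body=b""):
    """Assemble the request byte by byte: every field is whatever the caller says."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_response(raw):
    """Split a raw response into status code, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": code, "headers": headers, "body": body}


def send_raw(host, port, request_bytes):
    """A socket is all that is required: no HTTP library on the client side."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(request_bytes)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


def demo():
    """Three crafted requests; only the server decides which one is acceptable."""
    server = HTTPServer(("127.0.0.1", 0), ValidatingHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    host_hdr = f"{host}:{port}"
    json_hdrs = {"Content-Type": "application/json", "User-Agent": "anything-goes/1.0"}
    good = send_raw(host, port, build_request("POST", "/api", host_hdr, json_hdrs, b'{"x": 1}'))
    wrong_type = send_raw(host, port, build_request(
        "POST", "/api", host_hdr, {"Content-Type": "text/plain"}, b"x=1"))
    not_json = send_raw(host, port, build_request("POST", "/api", host_hdr, json_hdrs, b"x=1"))
    server.shutdown()
    server.server_close()
    return good["status"], wrong_type["status"], not_json["status"]


if __name__ == "__main__":
    print(demo())  # (200, 415, 400)
```

The User-Agent in the sample is there to make the point: the client can claim to be anything, so the server's decisions in do_POST rest only on what it can verify itself (declared length against a limit, the media type it is prepared to parse, the shape of the body). Bounding the read to the declared Content-Length, and capping that length, is what keeps an oversized or endless body from tying up the handler.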